Analysis
max time kernel: 16s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 24-07-2021 07:08
Behavioral task: behavioral1
Sample: EC833EB164E86C797DF3DAB47F6E0774.exe
Resource: win7v20210410
General
Target: EC833EB164E86C797DF3DAB47F6E0774.exe
Size: 105KB
MD5: ec833eb164e86c797df3dab47f6e0774
SHA1: ba94798452ccd67cc2cd5f41bfa945b614205ab7
SHA256: c0150543944bc0dd08e602f453da6a03fc44c535bf5863a1b75b956ec1da3e3a
SHA512: b1c9b09a8c8381145b309ca7a74540c0ca42e5ee6275b431ca2f1b45a1b5ed9005bda2c12b5a01830cbd96c25b1e2565d67357c1519538a75bc4051506907a41
Malware Config
Signatures
- suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
- suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes (description | PID | process): 40 privilege-adjustment events, all recorded for PID 568 (EC833EB164E86C797DF3DAB47F6E0774.exe), cycling repeatedly through the same eight tokens in this order:
  Token: SeImpersonatePrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeTcbPrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeChangeNotifyPrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeCreateTokenPrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeBackupPrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeRestorePrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeIncreaseQuotaPrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
  Token: SeAssignPrimaryTokenPrivilege | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | PID | process | target process):
  PID 568 wrote to memory of 2804 | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe | cmd.exe
  PID 568 wrote to memory of 2804 | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe | cmd.exe
  PID 568 wrote to memory of 2804 | 568 | EC833EB164E86C797DF3DAB47F6E0774.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\EC833EB164E86C797DF3DAB47F6E0774.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\EC833EB164E86C797DF3DAB47F6E0774.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259291343.bat" "C:\Users\Admin\AppData\Local\Temp\EC833EB164E86C797DF3DAB47F6E0774.exe" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259291343.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- memory/2804-114-0x0000000000000000-mapping.dmp